IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing
Jiongyi Chen1, Wenrui Diao2, Qingchuan Zhao3, Chaoshun Zuo3, Zhiqiang Lin3,4, XiaoFeng Wang5,
Wing Cheong Lau1, Menghan Sun1, Rongai Yang1, and Kehuan Zhang1
Chinese University of Hong Kong1, Jinan University2, University of Texas at Dallas3, Ohio State University4, Indiana University Bloomington5
NDSS 2018
Presented by Md Mahbubur Rahman, Wayne State University
Outline
• IoT Trend
• Motivation
• IoTFuzzer (This paper)
• Challenges
• Architecture: IoTFuzzer
• Implementation and Evaluation
• Conclusion
Internet of Things (IoT) Market
• Applications
  • Smart Home, Smart City, Agricultural IoT, etc.
• Market growth by 2020
  • 20.4 billion IoT devices
  • $3 trillion
• Smart Home
  • $53.45 billion by 2022
Figure: Smart Home market value (Source: Zion Research Analysis 2017)
Is IoT Secure?
• NOT really!
• Attacks: 2014-2016
  • More than 90 independent IoT attacks [N. Zhang et al., CoRR 2017]
• Mirai botnet attack on Oct 12, 2016
  • Online IoT devices (e.g., IP cameras, home routers, etc.) are turned into bots
  • Distributed Denial-of-Service (DDoS) attacks on online services
• Reaper botnet attack
Firmwares of the IoT devices are not properly implemented & protected!!
What's Done!
• Few attempts have been made that closely deal with firmwares. [Davidson et al. USENIX Sec. '13, Cui et al. NDSS '13, Chen BlackHat '09, Shoshitaishvili et al. NDSS '15]
• Limitations
  • Firmware acquisition: vendors may not make it public
  • Firmware identification & unpacking: unknown architecture, proprietary compression/encryption
  • Executable analysis: requires lots of manual effort and is not accurate
It is worth looking into the IoT official applications
IoT Official Application
• Controls and manages IoT applications
• Contains rich information about the IoT system
Figure courtesy: Authors
IoTFuzzer: A Firmware-free Fuzzing Framework
• Detects memory corruptions in IoT devices
  • Null-pointer exceptions, buffer overflows, out-of-bound accesses, etc.
• Leverages official apps and program logic to create meaningful test messages
• Fuzzes in a protocol-guided way without explicitly reverse engineering the protocols
IoTFuzzer: Challenges
• Diverse data formats and protocols
  • XML, JSON, key-value pairs
• Proprietary cryptographic functions
• Crash monitoring
  • How to determine the real-time status of the device?
Figure: TP-Link Kasa code snippet
IoTFuzzer: Solutions
• Diverse data formats and protocols
  • Mutate protocol fields before they are constructed as a message
• Proprietary cryptographic functions
  • Reuse cryptographic functions in the runtime
• Crash monitoring
  • Insert heartbeat messages
IoTFuzzer: Scope and Assumptions
• Goal: Automatically generate protocol-aware messages to the IoT devices to discover memory corruptions
• Assumptions
  • IoT devices under testing are configurable and controllable with mobile apps
  • Wi-Fi communication protocol
  • Android apps
IoTFuzzer: Architecture
• 2-phase architecture
  • Phase 1: App analysis
  • Phase 2: Fuzzing
IoTFuzzer: Architecture – Phase 1
• UI Analysis
  • Call Path Construction
    • Identify networking UI elements by constructing call paths from networking APIs to UI event handlers
    • Networking APIs: URL.openConnection(), Socket.getOutputStream(), etc.
    • Androguard [1]
  • Activity Transition Graph Construction
    • To trigger networking API events
    • Monkeyrunner [2]
1. "Androguard: Reverse engineering, Malware and goodware analysis of Android applications," https://github.com/androguard/androguard
2. "monkeyrunner," https://developer.android.com/studio/test/monkeyrunner/index.html
IoTFuzzer: Architecture – Phase 1
• Taint Analysis
  • Identify protocol fields (variables) and functions
  • TaintDroid [W. Enck et al. TOCS '14]
  • Taint sources: strings, system APIs, user inputs
  • Taint sinks: data used at networking APIs and encryption functions
• Cryptographic Function Identification
  • Lots of related work
  • IoTFuzzer employs a lightweight technique
  • Cryptographic functions contain arithmetic operations and are called during the message delivery execution
IoTFuzzer: Architecture – Phase 1
Figure: Code example
Figure: Taint tracking output
IoTFuzzer: Architecture – Phase 2
• Runtime Mutation
  • Function Hooking
    • Dynamically hooks the recorded functions and mutates the protocol fields at runtime to generate probe messages
    • Xposed [3]
  • Fuzzing Scheduling: to fuzz only a subset of all protocol fields
  • Fuzzing Policy:
    • Change the length of the strings to check overflow and out-of-bound access
    • Change integer, double, or float (large values) to check overflow and out-of-bound access
    • Change object types and provide empty values to check misinterpretation and null-pointer exception
1. Rovo89, "Xposed Module Repository," http://repo.xposed.info/
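The fuzzing policy and scheduling described on this slide, as an added Python illustration (not the authors' code, which hooks the app's Java functions through Xposed): a dict of recorded protocol fields stands in for the hooked variables, one scheduled field is mutated per probe, and the other fields keep their recorded values so the app's own serialisation and encryption still wrap the mutated field. The field names, `mutate_field` and `probe_messages` are assumed for this example.

```python
import random
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Protocol field values as taint tracking would record them for one message
# (constructed sample; a dict stands in for the app's hooked variables).
RECORDED_FIELDS: Dict[str, Any] = {
    "cmd": "set_alias",      # string
    "alias": "Living room",  # string
    "timeout": 30,           # integer
    "volume": 0.5,           # float
    "devices": ["lamp"],     # object (list)
}

def mutate_field(value: Any, rng: Optional[random.Random] = None) -> Any:
    """Apply the slide's three mutation rules to a single recorded field."""
    rng = rng or random.Random()
    if isinstance(value, str):
        # Rule 1: change the string length (empty or very long) to probe
        # buffer overflows and out-of-bound accesses in the device's parser
        return value * rng.choice([0, 2, 64, 1024])
    if isinstance(value, int) and not isinstance(value, bool):
        # Rule 2: boundary and oversized integers to probe arithmetic
        # overflow and out-of-bound indexing
        return rng.choice([0, -1, 2**31 - 1, 2**32, 2**63 - 1])
    if isinstance(value, float):
        return rng.choice([0.0, -1.0, 1e308, float("inf"), float("nan")])
    # Rule 3: change the object type or supply an empty value to probe
    # misinterpretation and null-pointer dereferences
    return rng.choice([None, "", [], {}, 0])

def probe_messages(fields: Dict[str, Any], seed: int = 0,
                   subset: Optional[List[str]] = None,
                   count: int = 5) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (mutated_field_name, message) pairs.

    Fuzzing scheduling: only fields in `subset` are mutated; every other
    field keeps its recorded value, so each probe is a well-formed message
    around a single mutated field.
    """
    rng = random.Random(seed)
    scheduled = list(subset) if subset else list(fields)
    for _ in range(count):
        name = rng.choice(scheduled)
        message = dict(fields)
        message[name] = mutate_field(fields[name], rng)
        yield name, message
```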
IoTFuzzer: Architecture – Phase 2
• Response Monitoring
  • Response Types
    • Expected response
    • Unexpected response
    • No response
    • Disconnection
  • Crash Detection
    • TCP-based connection: disconnection
    • UDP-based connection: insert a heartbeat message after every 10 probe messages
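The response monitoring on this slide, as an added Python illustration that is not the authors' code: each probe outcome is classified into the four response types, a TCP disconnection is treated as the crash signal, and on UDP a known-good heartbeat is sent after every 10 probes because a hung device is simply silent. The `deliver` and `run_probes` functions and the `StubUdpDevice` stand-in (a constructed device that stops answering after an oversized message) are assumptions of this example.

```python
from enum import Enum
from typing import Callable, Iterable, Optional, Tuple

class Response(Enum):
    EXPECTED = "expected"          # device replied as the app would expect
    UNEXPECTED = "unexpected"      # device replied, but not with the expected data
    NO_RESPONSE = "no response"    # timed out
    DISCONNECTED = "disconnected"  # TCP connection dropped by the device

HEARTBEAT_EVERY = 10   # the slide's interval: one heartbeat per 10 probes

def deliver(send: Callable[[bytes], Optional[bytes]], msg: bytes,
            expected: Optional[bytes] = None) -> Response:
    """Send one message and classify the outcome into one of the four types."""
    try:
        reply = send(msg)          # None models a timeout
    except ConnectionError:
        return Response.DISCONNECTED
    if reply is None:
        return Response.NO_RESPONSE
    if expected is not None and reply != expected:
        return Response.UNEXPECTED
    return Response.EXPECTED

def run_probes(probes: Iterable[bytes], send: Callable[[bytes], Optional[bytes]],
               heartbeat: bytes, heartbeat_reply: bytes,
               transport: str = "udp") -> Optional[Tuple[int, str]]:
    """Send probes in order; return (probe index, reason) at the first sign of a crash."""
    for i, probe in enumerate(probes, 1):
        if deliver(send, probe) is Response.DISCONNECTED:
            return i, "disconnection"   # TCP: the dropped connection is the signal
        if transport == "udp" and i % HEARTBEAT_EVERY == 0:
            # UDP carries no connection state, so a known-good heartbeat is sent
            # periodically; if it goes unanswered the device has stopped serving
            status = deliver(send, heartbeat, heartbeat_reply)
            if status is not Response.EXPECTED:
                return i, "heartbeat " + status.value
    return None

class StubUdpDevice:
    """Constructed stand-in for a device that stops answering after an oversized probe."""
    def __init__(self, limit: int = 64) -> None:
        self.limit, self.alive = limit, True
    def send(self, msg: bytes) -> Optional[bytes]:
        if not self.alive:
            return None                 # a hung device is silent over UDP
        if len(msg) > self.limit:
            self.alive = False          # simulated crash; no reply is sent
            return None
        return b"OK:" + msg[:8]
```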
Implementation
• Implemented on 17 off-the-shelf IoT devices (apps are available on Google Play)
Evaluation
• Testing Environment
  • UI Analysis: Ubuntu 14.04, Intel Core i7 quad-core 2.81 GHz CPU, 8 GB RAM
  • Taint Tracking: Google's Nexus 4
  • Network: Fully controlled local Wi-Fi
• 15 memory corruptions were found, including 8 previously unknown
Evaluation
• Fuzzing accuracy
Conclusion
• IoTFuzzer: Limitations
  • Only supports Wi-Fi connections
  • Can only fuzz app-related code in IoT devices
  • Only detects memory-related corruptions that lead to crashes
Questions?